diff --git a/patches/nginx-1.11.2-guarded_SSL_R_NO_CIPHERS_PASSED_not_present_in_OpenSSL_1.1.0.patch b/patches/nginx-1.11.2-guarded_SSL_R_NO_CIPHERS_PASSED_not_present_in_OpenSSL_1.1.0.patch new file mode 100644 index 0000000..fd59562 --- /dev/null +++ b/patches/nginx-1.11.2-guarded_SSL_R_NO_CIPHERS_PASSED_not_present_in_OpenSSL_1.1.0.patch @@ -0,0 +1,23 @@ +# HG changeset patch +# User Sergey Kandaurov +# Date 1470653089 -10800 +# Node ID 1891b2892b68223dcc8f6bec7205d0d8c03682d5 +# Parent 7d4e33092e2abe92f0b904e5dadad4728eb12257 +SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0. + +It was removed in OpenSSL 1.1.0 Beta 3 (pre-release 6). It was +not used since OpenSSL 1.0.1n and 1.0.2b. + +diff -r 7d4e33092e2a -r 1891b2892b68 src/event/ngx_event_openssl.c +--- a/src/event/ngx_event_openssl.c Thu Aug 04 23:43:10 2016 +0300 ++++ b/src/event/ngx_event_openssl.c Mon Aug 08 13:44:49 2016 +0300 +@@ -2023,7 +2023,9 @@ + || n == SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST /* 151 */ + || n == SSL_R_EXCESSIVE_MESSAGE_SIZE /* 152 */ + || n == SSL_R_LENGTH_MISMATCH /* 159 */ ++#ifdef SSL_R_NO_CIPHERS_PASSED + || n == SSL_R_NO_CIPHERS_PASSED /* 182 */ ++#endif + || n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */ + || n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */ + || n == SSL_R_NO_SHARED_CIPHER /* 193 */ diff --git a/patches/ngx_http_encrypted_session-0.06-init_cipher_ctx_indirectly.patch b/patches/ngx_http_encrypted_session-0.06-init_cipher_ctx_indirectly.patch new file mode 100644 index 0000000..3a1b7d6 --- /dev/null +++ b/patches/ngx_http_encrypted_session-0.06-init_cipher_ctx_indirectly.patch @@ -0,0 +1,119 @@ +diff --git a/src/ngx_http_encrypted_session_cipher.c b/src/ngx_http_encrypted_session_cipher.c +index 5c8da81..3f2fed8 100644 +--- a/src/ngx_http_encrypted_session_cipher.c ++++ b/src/ngx_http_encrypted_session_cipher.c +@@ -26,7 +26,7 @@ + const u_char *in, size_t in_len, ngx_uint_t expires, u_char **dst, + size_t *dst_len) + { +- EVP_CIPHER_CTX ctx; ++ EVP_CIPHER_CTX *ctx; + const EVP_CIPHER *cipher; + u_char *p, *data; + int ret; +@@ -39,7 +39,7 @@ + return NGX_ERROR; + } + +- EVP_CIPHER_CTX_init(&ctx); ++ EVP_CIPHER_CTX_init(ctx); + + cipher = EVP_aes_256_cbc(); + +@@ -83,28 +83,28 @@ + + p += MD5_DIGEST_LENGTH; + +- ret = EVP_EncryptInit(&ctx, cipher, key, iv); ++ ret = EVP_EncryptInit(ctx, cipher, key, iv); + if (!ret) { + goto evp_error; + } + + /* encrypt the raw input data */ + +- ret = EVP_EncryptUpdate(&ctx, p, &len, data, data_size); ++ ret = EVP_EncryptUpdate(ctx, p, &len, data, data_size); + if (!ret) { + goto evp_error; + } + + p += len; + +- ret = EVP_EncryptFinal(&ctx, p, &len); ++ ret = EVP_EncryptFinal(ctx, p, &len); + if (!ret) { + return NGX_ERROR; + } + + /* XXX we should still explicitly release the ctx + * or we'll leak memory here */ +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_cleanup(ctx); + + p += len; + +@@ -121,7 +121,7 @@ + + evp_error: + +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_cleanup(ctx); + + return NGX_ERROR; + } +@@ -132,7 +132,7 @@ + const u_char *iv, size_t iv_len, const u_char *key, size_t key_len, + const u_char *in, size_t in_len, u_char **dst, size_t *dst_len) + { +- EVP_CIPHER_CTX ctx; ++ EVP_CIPHER_CTX *ctx; + const EVP_CIPHER *cipher; + int ret; + size_t block_size, buf_size; +@@ -152,11 +152,11 @@ + + digest = in; + +- EVP_CIPHER_CTX_init(&ctx); ++ EVP_CIPHER_CTX_init(ctx); + + cipher = EVP_aes_256_cbc(); + +- ret = EVP_DecryptInit(&ctx, cipher, key, iv); ++ ret = EVP_DecryptInit(ctx, cipher, key, iv); + if (!ret) { + goto evp_error; + } +@@ -173,7 +173,7 @@ + + *dst = p; + +- ret = EVP_DecryptUpdate(&ctx, p, &len, in + MD5_DIGEST_LENGTH, ++ ret = EVP_DecryptUpdate(ctx, p, &len, in + MD5_DIGEST_LENGTH, + in_len - MD5_DIGEST_LENGTH); + + if (!ret) { +@@ -183,11 +183,11 @@ + + p += len; + +- ret = EVP_DecryptFinal(&ctx, p, &len); ++ ret = EVP_DecryptFinal(ctx, p, &len); + + /* XXX we should still explicitly release the ctx + * or we'll leak memory here */ +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_cleanup(ctx); + + if (!ret) { + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, log, 0, +@@ -249,7 +249,7 @@ + + evp_error: + +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_cleanup(ctx); + + return NGX_ERROR; + } diff --git a/patches/ngx_lua-0.10.8-support_openssl_1.1.0.patch b/patches/ngx_lua-0.10.8-support_openssl_1.1.0.patch new file mode 100644 index 0000000..bcfb25e --- /dev/null +++ b/patches/ngx_lua-0.10.8-support_openssl_1.1.0.patch @@ -0,0 +1,56 @@ +diff --git a/src/ngx_http_lua_ssl_ocsp.c b/src/ngx_http_lua_ssl_ocsp.c +index 3904aa8e..71d40e74 100644 +--- a/src/ngx_http_lua_ssl_ocsp.c ++++ b/src/ngx_http_lua_ssl_ocsp.c +@@ -468,7 +468,11 @@ ngx_http_lua_ffi_ssl_set_ocsp_status_resp(ngx_http_request_t *r, + return NGX_ERROR; + } + ++#ifdef SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE ++ if (SSL_get_tlsext_status_type(ssl_conn) == -1) { ++#else + if (ssl_conn->tlsext_status_type == -1) { ++#endif + dd("no ocsp status req from client"); + return NGX_DECLINED; + } +@@ -490,7 +494,11 @@ ngx_http_lua_ffi_ssl_set_ocsp_status_resp(ngx_http_request_t *r, + + dd("set ocsp resp: resp_len=%d", (int) resp_len); + (void) SSL_set_tlsext_status_ocsp_resp(ssl_conn, p, resp_len); ++#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE ++ SSL_set_tlsext_status_type(ssl_conn, TLSEXT_STATUSTYPE_ocsp); ++#else + ssl_conn->tlsext_status_expected = 1; ++#endif + + return NGX_OK; + +diff --git a/src/ngx_http_lua_ssl_session_storeby.c b/src/ngx_http_lua_ssl_session_storeby.c +index b5596bc7..6e132a31 100644 +--- a/src/ngx_http_lua_ssl_session_storeby.c ++++ b/src/ngx_http_lua_ssl_session_storeby.c +@@ -172,6 +172,8 @@ int + ngx_http_lua_ssl_sess_store_handler(ngx_ssl_conn_t *ssl_conn, + ngx_ssl_session_t *sess) + { ++ const u_char *sess_id; ++ unsigned int sess_id_len; + lua_State *L; + ngx_int_t rc; + ngx_connection_t *c, *fc = NULL; +@@ -246,11 +248,12 @@ ngx_http_lua_ssl_sess_store_handler(ngx_ssl_conn_t *ssl_conn, + } + } + ++ sess_id = SSL_SESSION_get_id(sess, &sess_id_len); + cctx->connection = c; + cctx->request = r; + cctx->session = sess; +- cctx->session_id.data = sess->session_id; +- cctx->session_id.len = sess->session_id_length; ++ cctx->session_id.data = (u_char *) sess_id; ++ cctx->session_id.len = sess_id_len; + cctx->done = 0; + + dd("setting cctx"); diff --git a/util/mirror-tarballs b/util/mirror-tarballs index 2da01f1..cf09f99 100755 --- a/util/mirror-tarballs +++ b/util/mirror-tarballs @@ -335,6 +335,8 @@ echo echo "$info_txt applying the safe_resolver_ipv6_option patch for nginx" patch -p1 < $root/patches/nginx-$main_ver-safe_resolver_ipv6_option.patch || exit 1 +echo "$info_txt applying the guarded_SSL_R_NO_CIPHERS_PASSED_not_present_in_OpenSSL_1.1.0 patch for nginx" +patch -p1 < $root/patches/nginx-$main_ver-guarded_SSL_R_NO_CIPHERS_PASSED_not_present_in_OpenSSL_1.1.0.patch || exit 1 echo cp $root/html/index.html docs/html/ || exit 1 @@ -412,6 +414,12 @@ $root/util/get-tarball "https://github.com/openresty/lua-nginx-module/tarball/v$ tar -xzf lua-nginx-module-$ver.tar.gz || exit 1 mv openresty-lua-nginx-module-* ngx_lua-$ver || exit 1 +cd ngx_lua-$ver +echo "applying ngx_lua-$ver-support_openssl_1.1.0.patch" +patch -p1 < $root/patches/ngx_lua-$ver-support_openssl_1.1.0.patch || exit 1 +echo +cd .. + ################################# ver=0.06 @@ -461,6 +469,12 @@ $root/util/get-tarball "https://github.com/openresty/encrypted-session-nginx-mod tar -xzf encrypted-session-nginx-module-$ver.tar.gz || exit 1 mv openresty-encrypted-session-nginx-module-* encrypted-session-nginx-module-$ver || exit 1 +cd encrypted-session-nginx-module-$ver +echo "applying ngx_http_encrypted_session-$ver-init_cipher_ctx_indirectly.patch" +patch -p1 < $root/patches/ngx_http_encrypted_session-$ver-init_cipher_ctx_indirectly.patch || exit 1 +echo +cd .. + #################################